A new banking Trojan in the news, known as Neverquest, is active and being used to attack a number of popular banking websites. This Trojan can identify target sites by searching for specific keywords on web pages that victims are browsing. After infecting a system, the malware gives an attacker control of the infected machine with the help of a Virtual Network Computing (VNC, for remote access) and SOCKS proxy server. The Trojan targets several banking sites and steals sensitive information such as login credentials that customers enter into these websites. The Trojan also steals login information related to social networking sites (listed in the configuration file) like Twitter, and sends this information to its control server.
Once it infects a system, the Trojan drops a random-name DLL (for example, cjekvxk.dat) with a .dat extension in the %APPDATA% folder. The Trojan then automatically runs this DLL using regsvr32.exe /s [DLL PATH] by adding a key under “Software\Microsoft\Windows\CurrentVersion\Run\.” The Trojan tries to inject its malicious code into running processes and waits for browser processes such as iexplorer.exe or firefox.exe. Once the victim opens any site with these browsers, the Trojan requests the encrypted configuration file from its control server, as we see in this screenshot:
The Trojan generates a unique ID number that will be used in subsequent requests. The reply is encrypted with aPLib compression. The reply data is appended to an “AP32” string, followed by a decompression routine, as shown:
The configuration file contains a huge amount of JavaScript code, a number of bank websites, social networking websites, and list of financial keywords. The JavaScript code in the configuration file used to modify the page contents of the bank’s site to steal sensitive information. Let’s look at the configuration file:
The Trojan targets financial institutions including Bank of America, CitiBank, and many others. Here is a list of target sites found in the decrypted configuration file:
The Trojan asks for sensitive information by modifying the page contents that a victim visits. The configuration file also contains a list of social networking sites and a list of keywords related to banking:
If the Trojan finds any of the keywords on a web page, it will steal the full URL and all user-entered information and sends this data to the attacker:
The Trojan sends a unique ID number followed by the full URL containing username and password. (We’ve entered fake information to capture the logs.) The Trojan also sends all web page contents compressed with aPLib to the attacker in the following format:
The Trojan steals information entered on social networking sites listed in the configuration file and can use that data to further spread the malicious code:
The Trojan keeps on stealing new data and updating its configuration file. The attacker uses a SOCKS and VNC server to carry out malicious activities. Here is a snapshot of strings we found:
The Trojan can steal SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients. It can also steal FTP login credentials from various programs that can be used to distribute the malicious code:
We have also found an updated configuration file that contains code to request additional JavaScript files targeting financial sites such as BMO (Bank of Montreal), PayPal, RBC (Royal Bank of Canada), and others from a different malicious server. The malicious server has several web panels for collecting sensitive information from different financial sites–which shows attackers are learning and creating new fake pages for new sites. The JavaScript code:
The preceding JavaScript code is displayed in the victims’ browsers if they visit these sites. There are many banking Trojans, but Neverquest has more capabilities than most. Attackers can hide their tracks with the help of proxy and remote control and can carry out transactions from the infected machines. The Trojan can search for new banking sites with the help of financial keywords listed in the configuration file. The Trojan can also steal new banking URLs and their page contents, which eventually update its configuration file. In this way Neverquest can grow its target database to carry out future attacks.
I would like to thank my colleague Vikas Taneja for assistance with this research.